$STANDARD_INFORMATION and $FILE_NAME
$STANDARD_INFORMATION, but not the information inside $FILE_NAME. Therefore, it's possible to identify suspicious activity.
$STANDARD_INFORMATION and $FILE_NAME comparison
$STANDARD_INFORMATION and $FILE_NAME. However, from Windows Vista a live OS is needed to modify this information.
$logfile and $usnjrnl can show that some data was added:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackEnabled, both to zero in order to signal that we want UserAssist disabled.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<hash>.
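The $STANDARD_INFORMATION (SI) versus $FILE_NAME (FN) comparison above is the check an examiner runs to spot a record whose SI timestamps were rewritten while FN was left alone. The following is an added example, not code from the original page: it runs over constructed records shaped like the rows an MFT parser exports (the four timestamps from SI and from FN per file, as ISO-8601 UTC strings). The field names, the record layout and the sample values are assumptions; map your parser's columns onto them. Beyond the plain SI/FN mismatch the page describes, it also flags SI values with an all-zero sub-second part, since NTFS keeps 100 ns resolution and round values usually come from a tool that only accepts whole seconds.

```python
"""Compare $STANDARD_INFORMATION (SI) and $FILE_NAME (FN) timestamps per MFT record.

Added example, not code from the original page. Record layout and field
names are assumptions chosen to resemble a typical MFT parser export.
"""
from datetime import datetime, timezone
from typing import Dict, List

FIELDS = ("created", "modified", "accessed", "mft_modified")

# Constructed sample records (not real evidence). The first looks like an
# ordinary document; the second has its SI timestamps rewritten to a round
# value in 2010 while FN still carries the real 2023 creation time.
SAMPLE_RECORDS = [
    {
        "name": "report.docx",
        "si": {"created": "2023-05-01T09:15:22.123456",
               "modified": "2023-05-03T14:02:10.654321",
               "accessed": "2023-05-03T14:02:10.654321",
               "mft_modified": "2023-05-03T14:02:10.654321"},
        "fn": {"created": "2023-05-01T09:15:22.123456",
               "modified": "2023-05-01T09:15:22.123456",
               "accessed": "2023-05-01T09:15:22.123456",
               "mft_modified": "2023-05-01T09:15:22.123456"},
    },
    {
        "name": "tool.exe",
        "si": {k: "2010-10-10T10:10:00" for k in FIELDS},
        "fn": {k: "2023-05-20T03:41:07.889012" for k in FIELDS},
    },
]


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp (optional fractional seconds) as UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def compare_si_fn(record: Dict) -> List[str]:
    """Return the reasons a record looks timestomped; an empty list means clean.

    A tool that rewrites only $STANDARD_INFORMATION leaves $FILE_NAME untouched,
    so two disagreements are worth flagging:
      * SI created earlier than FN created: NTFS writes the FN record when the
        file is created, so SI cannot legitimately predate it on the same volume.
      * SI timestamps with an all-zero sub-second part while FN keeps real
        sub-second precision.
    """
    si = {k: _ts(record["si"][k]) for k in FIELDS}
    fn = {k: _ts(record["fn"][k]) for k in FIELDS}
    reasons: List[str] = []
    if si["created"] < fn["created"]:
        reasons.append("SI created predates FN created")
    for k in FIELDS:
        if si[k].microsecond == 0 and fn[k].microsecond != 0:
            reasons.append(f"SI {k} has a zero sub-second part while FN does not")
    return reasons


def scan(records: List[Dict]) -> Dict[str, List[str]]:
    """Map file name -> reasons for every record that raised at least one flag."""
    findings: Dict[str, List[str]] = {}
    for record in records:
        reasons = compare_si_fn(record)
        if reasons:
            findings[record["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RECORDS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Treat hits as leads rather than proof: SI created earlier than FN created also happens legitimately when a file is extracted from an archive or copied with its original timestamps preserved, so corroborate each flagged record against the $logfile and $usnjrnl entries for that file.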
regedit
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
EnablePrefetcher and EnableSuperfetch
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
NtfsDisableLastAccessUpdate. If it doesn't exist, add this DWORD and set its value to 1, which will disable the process.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR. Deleting this will delete the USB history.
You may also use the tool USBDeview to be sure you have deleted them (and to delete them).
setupapi.dev.log inside C:\Windows\INF. This should also be deleted.
vssadmin list shadowstorage
Delete them running vssadmin delete shadow
HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot
cipher /w:C
This instructs cipher to overwrite any data remaining in the unused disk space of the C drive.
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }
reg add "HKLM\SYSTEM\CurrentControlSet\Services\eventlog" /v Start /t REG_DWORD /d 4 /f
WEvtUtil.exe clear-log or WEvtUtil.exe cl
fsutil usn deletejournal /d c:
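Each of the registry changes above (UserAssist tracking, the Prefetch parameters, NtfsDisableLastAccessUpdate, the Event Log service start type, the USBSTOR key) leaves the setting itself behind as evidence, so an examiner can audit a host's configuration for them. The following is an added example, not code from the original page: it checks the key and value names the page lists against a tree of exported registry values. The tree layout (key path -> {value name: DWORD data}, with every subkey present as its own key path) and the sample trees are assumptions; on a real host you would fill the tree from reg query or Get-ItemProperty output.

```python
"""Audit exported registry values for the anti-forensic settings listed above.

Added example, not code from the original page. The tree shape is an
assumption: key path -> {value name: DWORD data}, one entry per key or subkey.
"""
from typing import Dict, List, Optional

RegTree = Dict[str, Dict[str, int]]

ADVANCED = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
PREFETCH = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
            r"\Memory Management\PrefetchParameters")
FILESYSTEM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem"
EVENTLOG = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eventlog"
USBSTOR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"

# Constructed sample trees (not real exports): an untouched host and one where
# every setting from the page has been changed and the USBSTOR key removed.
BASELINE: RegTree = {
    ADVANCED: {"Start_TrackProgs": 1, "Start_TrackEnabled": 1},
    PREFETCH: {"EnablePrefetcher": 3, "EnableSuperfetch": 3},
    FILESYSTEM: {"NtfsDisableLastAccessUpdate": 0},
    EVENTLOG: {"Start": 2},  # 2 = SERVICE_AUTO_START
    USBSTOR: {},
    USBSTOR + r"\Disk&Ven_Example&Prod_Flash&Rev_1.00": {},  # constructed subkey
}

TAMPERED: RegTree = {
    ADVANCED: {"Start_TrackProgs": 0, "Start_TrackEnabled": 0},
    PREFETCH: {"EnablePrefetcher": 0, "EnableSuperfetch": 0},
    FILESYSTEM: {"NtfsDisableLastAccessUpdate": 1},
    EVENTLOG: {"Start": 4},  # 4 = SERVICE_DISABLED
    # USBSTOR and all of its subkeys deleted
}


def _value(tree: RegTree, key: str, name: str) -> Optional[int]:
    """DWORD data stored under key\\name, or None when key or value is absent."""
    return tree.get(key, {}).get(name)


def _has_subkeys(tree: RegTree, key: str) -> bool:
    """True when at least one key path in the tree sits below `key`."""
    prefix = key + "\\"
    return any(path.startswith(prefix) for path in tree)


def audit(tree: RegTree) -> List[str]:
    """Return one finding per anti-forensic setting present in the tree."""
    findings: List[str] = []
    if 0 in (_value(tree, ADVANCED, "Start_TrackProgs"),
             _value(tree, ADVANCED, "Start_TrackEnabled")):
        findings.append("UserAssist disabled: Start_TrackProgs or Start_TrackEnabled is 0")
    for name in ("EnablePrefetcher", "EnableSuperfetch"):
        if _value(tree, PREFETCH, name) == 0:
            findings.append(f"{name} = 0: Prefetch artefacts will no longer be written")
    last_access = _value(tree, FILESYSTEM, "NtfsDisableLastAccessUpdate")
    # Recent Windows versions store system-managed modes with high flag bits
    # set, so only the low bit is tested: 1 means last-access updates are off.
    if last_access is not None and last_access & 1:
        findings.append("NtfsDisableLastAccessUpdate set: last-access timestamps frozen")
    if _value(tree, EVENTLOG, "Start") == 4:
        findings.append("Windows Event Log service Start = 4 (disabled)")
    # The key is also absent on a host that never saw a USB storage device,
    # so corroborate this one with C:\Windows\INF\setupapi.dev.log.
    if USBSTOR not in tree or not _has_subkeys(tree, USBSTOR):
        findings.append("USBSTOR key missing or empty: USB device history may have been deleted")
    return findings


if __name__ == "__main__":
    for label, tree in (("baseline", BASELINE), ("tampered", TAMPERED)):
        print(label, audit(tree) or ["no findings"])
```

Two points worth pairing with this audit: clearing the logs with the wevtutil or Clear-EventLog commands above itself records the clearing (Event ID 1102 in the Security log, Event ID 104 in the System log), so an empty log with one of those events at its head is its own indicator; and a disabled Event Log service (Start = 4) is visible both in this key and in the service control manager, which is why the audit reports it.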